<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>Towards Modeling Role-Based Pageflow Definitions within Web Applications</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Ernst Oberortner</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Martin Vasko</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Schahram Dustdar</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>Technical University of Vienna, Distributed Systems Group, Argentinierstraße 8/184-1, A-1040 Vienna, Austria</institution>
          <email>{e.oberortner, m.vasko, dustdar}@infosys.tuwien.ac.at</email>
        </aff>
      </contrib-group>
      <abstract>
        <p>Model-Driven Software Development (MDSD) can be used to enhance the development and maintenance of web applications. Furthermore, security plays a crucial role in the area of web applications, so a seamless integration of access control into the modeling of web applications becomes important. This work introduces a model-driven integration of security concerns into the development life cycle of web applications. In this paper, a static design model is introduced which enables the assignment of Role-Based Access Control (RBAC) to the pageflow at design time. The approach is demonstrated by a generated web application with defined security constraints which can be deployed on the Apache Tomcat web server.</p>
      </abstract>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>Introduction</title>
      <p>
        Due to the increasing complexity of web applications, their development and
maintenance become more difficult [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ]. To find a remedy, Model-Driven
Software Development (MDSD) can be used. It addresses the reduction of
development time, the quality of the software, a high level of abstraction for better
maintenance, as well as better portability and interoperability [
        <xref ref-type="bibr" rid="ref2">2</xref>
        ].
      </p>
      <p>
        Besides rising demands on the web application architecture, the seamless
integration of access control becomes important. Role-Based Access Control (RBAC)
is a technique for multi-user systems and networks and was introduced in 1992
by Ferraiolo and Kuhn [
        <xref ref-type="bibr" rid="ref3">3</xref>
        ]. RBAC is used by organizations to protect their
information resources from unauthorized access [
        <xref ref-type="bibr" rid="ref4">4</xref>
        ]. Nowadays, RBAC is a favored
technique because it provides an easy way of administrating security [
        <xref ref-type="bibr" rid="ref5">5</xref>
        ]. RBAC
provides possibilities to model the security requirements of today's web applications
through complex role hierarchies and restricted access to predefined users.
      </p>
      <p>
        A common problem of securing web applications lies in the late integration
of security at the test phase or at the end of the development process. It is
recommended to integrate security into the life cycle of a web application [
        <xref ref-type="bibr" rid="ref6">6</xref>
        ].
The integration of security with MDSD leads to a high level formulation of
security aspects [
        <xref ref-type="bibr" rid="ref7">7</xref>
        ]. The model-driven integration of RBAC models into system
design models has proved to be a feasible approach [
        <xref ref-type="bibr" rid="ref8">8</xref>
        ].
      </p>
      <p>
        This work introduces a static design model which enables role-based securing
of web applications based on the pageflow. Our approach is focused on the design
of secure web applications. For the time being, no models are provided for
modeling security which is established during runtime. Our approach is demonstrated
by a generated JavaServer Faces (JSF) [
        <xref ref-type="bibr" rid="ref9">9</xref>
        ] web application with defined security
constraints, which is deployed on the Apache Tomcat web server [
        <xref ref-type="bibr" rid="ref10">10</xref>
        ].
      </p>
      <p>This paper is organized as follows: Section 2 presents a motivating
example for a model-driven approach to securing web applications. Section 3
gives the background of the used technologies and methodologies. Section 4
gives an architectural overview. Section 5 demonstrates the implementation of our
approach and an example. Section 6 highlights related work. Finally, Sections 7
and 8 complete the paper with future prospects and a conclusion.</p>
    </sec>
    <sec id="sec-2">
      <title>Motivating example</title>
      <p>A sample web application introduces the motivation of our approach. The
application implements a user administration where visitors<sup>1</sup> can list all users,
request detailed information on each user, add new users, delete existing users,
and change user details.</p>
      <p>[Figure 1: UML object diagram of the sample web application. Each web page is an instance of the class Page (attributes PageID : string, Name : string): ListUsers (changeUser, deleteUser, list, addUser, detailUser), UserDetails (User; changeUser, deleteUser, list), AddUser (User; list), ChangeUser (User; updateUser, list, detailUser), DeleteUser (User; deleteUser, list, detailUser).]</p>
      <p><sup>1</sup> As the term users might be ambiguous, we refer to web application users as visitors,
and the term users refers to the design model.</p>
      <p>The web application has the following security constraints:
1. Deny access to unregistered visitors to all web pages
2. Registered visitors need to be assigned to one of the following roles:
Admin, GroupLeader, or GroupMember
3. Members of the role Admin may access all web pages
4. Members of the role GroupMember may request only user details
5. Members of the role GroupLeader may access all information concerning the
members of the role</p>
      <p>Derived from these security constraints, the UML statechart models
illustrated in Figure 2 demonstrate the resulting pageflows of each role.</p>
      <p>[Figure 2: UML statecharts of the resulting pageflows: a) Web application, b) Group Leader, c) Group Member. States: Start, List Users, User Detail, Add Users, Change User, Delete User; the Group Member statechart contains only Start, List Users and User Detail.]</p>
      <p>This sample web application indicates two restrictions:
1. Restricted Web Pages: Pages of the web application are restricted to a
predefined role of visitors. E.g., members of the GroupMember role do not
have access to the Add-, Change- or Delete User web pages.
2. Restricted Content: Results of requests to the application depend on the
requester's role membership. E.g., members of the GroupLeader role,
requesting a list of users, retrieve only users assigned to their role.</p>
      <p>The stated restrictions can be divided into two categories: restrictions that
can be defined (1) at design time, and (2) at runtime of the web application. E.g.,
at design time it can be defined that only users of the Admin or GroupLeader roles
can access the AddUsers web page. But the content of the web page depends on
the role of the visitor. The role of the visitor is known only at runtime. Hence,
the content must be generated at runtime. This is established by the business
logic of the web application.</p>
      <p>We identified the definition of restrictions at design time as an ideal candidate
to integrate an RBAC model into the static design model and generate web
applications from these models. Throughout the paper, the approach of applying
RBAC on the pageflow is introduced.</p>
    </sec>
    <sec id="sec-3">
      <title>Background</title>
      <p>For a better understanding, this section provides an overview of the used technologies
and methodologies. First, a definition of our understanding of a pageflow is given.
Afterwards, the application of MDSD in our approach is demonstrated.</p>
      <sec id="sec-3-1">
        <title>Definition of Pageflow</title>
        <p>
          The Model-View-Controller (MVC) [
          <xref ref-type="bibr" rid="ref12">12</xref>
          ] pattern is a design pattern which
divides the responsibilities clearly into Model, View and Controller. The Model
encapsulates data and behavior of web applications, independent of their
representation. The View represents the presentation layer and is responsible for
rendering the data, according to the type of client, by processing the results of
the Model. The Controller selects the subsequent web page or view which
should be displayed to visitors by handling visitors' interactions, e.g., submitting
the entered data of a form. These interactions are performed by calling actions
on the Model. Based on the interactions and the outcomes of the performed
actions, the Controller selects the next web page which is displayed to the visitor.
        </p>
        <p>The basis of selecting the appropriate web page is defined in the pageflow.
Hence, the pageflow describes to which web pages visitors can navigate,
dependent on the current page. In our work, the visitor can only navigate to other
web pages by interacting with hyperlinks or buttons. The subsequent web page
depends on the hyperlink or button which the visitor clicks and on the roles
of which the visitor is a member. A well arranged, readable pageflow can be
achieved by defining the pageflow with Java-like IF-ELSE statements.</p>
      </sec>
      <sec id="sec-3-2">
        <title>Model-Driven Software Development (MDSD)</title>
        <p>of Constraints which are defined on the constructs of the metamodel. Valid
models are passed to the Code Generator which generates executable code and
the needed configuration files, i.e., in our case a JSF web application for the
Apache Tomcat web server. In our work, the code generation process is based
on Templates which are also defined on the constructs of the metamodel.</p>
      </sec>
    </sec>
    <sec id="sec-4">
      <title>Architectural Overview</title>
      <p>This section presents implementation details to achieve joint modeling of RBAC
and pageflow of web applications. First, the used technologies are mentioned.
Then, the most important implementation details are presented: the metamodel,
the model validation constraints and the code generation templates. Afterwards,
an insight into the generated code is given. Finally, the feasibility of our approach
is demonstrated on the motivating example presented in Section 2.</p>
      <sec id="sec-4-1">
        <title>Used Technologies</title>
        <p>
          The metamodel is defined through an Eclipse Modeling Framework (EMF)
Ecore [
          <xref ref-type="bibr" rid="ref13">13</xref>
          ] model. For the time being, models are described in the XML
Metadata Interchange (XMI) [
          <xref ref-type="bibr" rid="ref14">14</xref>
          ] format which is used for interchanging models
between different modeling tools. Model validation and code generation are
implemented by the use of openArchitectureWare (oAW) [
          <xref ref-type="bibr" rid="ref15">15</xref>
          ]. oAW is an Eclipse (http://www.eclipse.org)
based framework that affords model validation and template based code
generation. Model validation is done through constraints which are defined in the
oAW Check Language. Also, oAW provides the Xpand language which is used
for the definition of the code generation templates. For the time being, only
secured JavaServer Faces (JSF) [
          <xref ref-type="bibr" rid="ref9">9</xref>
          ] web applications for the Apache Tomcat web
server [
          <xref ref-type="bibr" rid="ref10">10</xref>
          ] are generated.
        </p>
        <p>[Figure 5: UML class diagram of the metamodel. Classes: WebApplication (name : String), Page (Name : String), NavigationRule, Decision, If (outcome : String), ElseIf (outcome : String), Else, Role (name : String), Permission (description : String). Associations shown: page and startPage (WebApplication to Page), NavigationRule (Page to NavigationRule), gotoPage (Decision to Page), role (Decision to Role).]</p>
        <p>The metamodel is presented by a UML class diagram in Figure 5. Each
WebApplication consists of a number of Pages, and one page is denoted as the
startPage. Pages contain NavigationRules which define the pageflow. The
classes If, ElseIf and Else are defined to achieve a Java-like IF-ELSE pageflow
definition. These classes are derived from the Decision class which contains a
reference to the subsequent web page through the gotoPage association. The
referenced web page is displayed if the outcome of the performed actions is
equivalent to a corresponding outcome attribute, specified in the If and ElseIf
classes. If no corresponding outcome attribute is found, the web page specified
by the gotoPage reference of the Else class is displayed to the visitor.</p>
        <p>The assignment of RBAC to the definition of the pageflow is provided through
the association between the Decision and Role classes. Hence, an IF-ELSE
definition of a role-based pageflow is achieved, e.g.,</p>
        <p>IF outcome="..." AND role="..." THEN gotoPage="..."</p>
        <p>
          As introduced by Sandhu et al. [
          <xref ref-type="bibr" rid="ref5">5</xref>
          ], a Role consists of one or more Users and of
one or more Permissions. For the time being, a Permission only defines whether
a user has access to a certain web page or not. It is planned that more
permissions will be introduced, e.g., write or publish web pages.
        </p>
        <p>It is possible to use Aspect Oriented Modeling (AOM) for modeling the
pageflow and RBAC. AOM presupposes a clear separation into multiple models.
This means that our metamodel can be split into two separate metamodels,
one for modeling the pageflow, and one for modeling RBAC. But AOM needs
clearly defined integration points for merging the models. Our approach defines
an association between the classes Decision and Role, instead of integration
points. Still, the use of AOM seems to be an alternative modeling technique.
This approach is subject of further research and evaluation and is out of the
scope of this work.</p>
      </sec>
      <sec id="sec-4-2">
        <title>A Model of a Role-Based Pageflow</title>
        <p>Figure 6 shows an excerpt of a UML object diagram which represents the
motivating web application introduced in Section 2. Page ListUsers contains one
NavigationRule which consists of one If which refers to the UserDetails page
via the gotoPage reference. The specified outcome attribute in the If object
contains the string gotoUserDetails. Furthermore, a roles reference exists,
which references the GroupMember role. Hence, the IF-ELSE definition of the
role-based pageflow looks like:</p>
        <p>IF outcome="gotoUserDetails" AND role="member1" THEN gotoPage="UserDetails"</p>
        <p>All navigation rules of all web pages and their associations to roles are defined
similarly.</p>
        <p>[Figure 6: excerpt of the UML object diagram of the motivating web application (Login : WebApplication).]</p>
        <p>The second one defines that each Role must have a name. The last one defines
that each NavigationRule must consist of at least one If. If models do not fulfill
these constraints, an error is raised, e.g., 'no name for role defined !'.</p>
        <p>context WebApplication ERROR 'no start page defined !':
    startPage != null;
context Role ERROR 'no name for role defined !':
    this.name != null;
context NavigationRule ERROR 'no navigation rule defined !':
    this.ifDecision != null;</p>
        <p>«DEFINE Root FOR RoleBasedPageflow::WebApplication»
«FILE name + "/WEB-INF/web.xml"-»
...
«FOREACH this.role AS r»
«EXPAND GenRole FOR r-»
&lt;security-constraint&gt;
  &lt;display-name&gt;&lt;/display-name&gt;
  «EXPAND GenRoleAccessPages(this) FOR r-»
  &lt;auth-constraint&gt;
    &lt;description&gt;«r.description»&lt;/description&gt;
    &lt;role-name&gt;«r.name»&lt;/role-name&gt;
  &lt;/auth-constraint&gt;
&lt;/security-constraint&gt;
«ENDFOREACH-»
...
«ENDFILE»
«ENDDEFINE»
...</p>
        <p>First, a Root label is defined for objects of type WebApplication, i.e.,
each WebApplication gets its own web.xml file. For each Role, a
&lt;security-constraint&gt; element is generated which contains all web pages that can be
accessed by the members of this role. The &lt;role-name&gt; element is stated within
the &lt;auth-constraint&gt; element. The information of Pages is denoted by
&lt;web-resource-collection&gt; elements.</p>
        <p>
          For the time being, only templates for web applications of the Apache Tomcat
web server [
          <xref ref-type="bibr" rid="ref10">10</xref>
          ] have been implemented. For other web servers, new code generation
templates must be written.
        </p>
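        <p>The Check constraints, the role-based IF-ELSE navigation and the web.xml template of this section, carried through as an added example that is not part of the paper or its oAW implementation: the Python script below models the metamodel of Figure 5, re-implements the three Check constraints, derives for each Role the pages it can reach from the start page through decisions it is associated with, and emits one security-constraint element per Role as the Xpand template does. The url-pattern "/PageName.jsf", the role descriptions and the pages reached by each role (read from Figure 2) are assumptions of this example.</p>
        <p><![CDATA[
```python
# Added example (not code from the paper): a Python rendering of the paper's
# metamodel, its three oAW Check constraints, and the web.xml generation that
# its Xpand template performs. The url-pattern "/<PageName>.jsf" and the
# role descriptions are assumptions of this example.
from dataclasses import dataclass, field
from typing import Optional
from xml.sax.saxutils import escape

@dataclass(frozen=True)
class Role:
    name: Optional[str]            # None models the invalid case checked below
    description: str = ""

@dataclass
class Page:
    name: str
    rules: list = field(default_factory=list)   # NavigationRule instances

@dataclass
class Decision:
    """If, ElseIf or Else: the gotoPage plus the Roles associated with it."""
    goto_page: Page
    roles: frozenset
    outcome: Optional[str] = None               # None for an Else decision

@dataclass
class NavigationRule:
    if_decision: Optional[Decision]             # must exist (Check constraint)
    rest: list = field(default_factory=list)    # ElseIf ... Else decisions

    def decisions(self):
        return [d for d in [self.if_decision, *self.rest] if d is not None]

@dataclass
class WebApplication:
    name: str
    pages: list
    roles: list
    start_page: Optional[Page]

def validate(app):
    """The paper's three Check constraints, with its error messages."""
    errors = [] if app.start_page is not None else ["no start page defined !"]
    errors += ["no name for role defined !" for r in app.roles if r.name is None]
    errors += ["no navigation rule defined !" for p in app.pages
               for rule in p.rules if rule.if_decision is None]
    return errors

def accessible_pages(app, role):
    """Names of the pages a role reaches from the start page following only
    decisions the role is associated with (the Decision-Role link). Call
    validate() first: a model without a start page has no pageflow."""
    seen, todo = set(), [app.start_page]
    while todo:
        page = todo.pop()
        if page.name not in seen:
            seen.add(page.name)
            for rule in page.rules:
                todo += [d.goto_page for d in rule.decisions() if role in d.roles]
    return seen

def security_constraints_xml(app):
    """One <security-constraint> per Role, as the Xpand template emits."""
    out = []
    for role in app.roles:
        urls = "".join(f"      <url-pattern>/{p}.jsf</url-pattern>\n"
                       for p in sorted(accessible_pages(app, role)))
        out.append("  <security-constraint>\n"
                   f"    <display-name>{escape(role.name)}</display-name>\n"
                   "    <web-resource-collection>\n"
                   f"      <web-resource-name>{escape(role.name)}</web-resource-name>\n"
                   f"{urls}    </web-resource-collection>\n"
                   "    <auth-constraint>\n"
                   f"      <description>{escape(role.description)}</description>\n"
                   f"      <role-name>{escape(role.name)}</role-name>\n"
                   "    </auth-constraint>\n  </security-constraint>\n")
    return "".join(out)

def motivating_example():
    """The user administration of Section 2, read from Figure 2: GroupMember
    reaches only ListUsers and UserDetails, Admin and GroupLeader every page."""
    admin, leader, member = (Role("Admin", "all pages"),
                             Role("GroupLeader", "pages of the own group"),
                             Role("GroupMember", "user details only"))
    everyone, staff = frozenset({admin, leader, member}), frozenset({admin, leader})
    lst, det = Page("ListUsers"), Page("UserDetails")
    add, chg, dlt = Page("AddUser"), Page("ChangeUser"), Page("DeleteUser")
    lst.rules.append(NavigationRule(
        Decision(det, everyone, "gotoUserDetails"),
        [Decision(add, staff, "gotoAddUser"), Decision(chg, staff, "gotoChangeUser"),
         Decision(dlt, staff, "gotoDeleteUser")]))
    for page in (det, add, chg, dlt):           # every other page links back
        page.rules.append(NavigationRule(Decision(lst, everyone, "gotoListUsers")))
    return WebApplication("UserAdmin", [lst, det, add, chg, dlt],
                          [admin, leader, member], lst)
```
]]></p>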
      </sec>
      <sec id="sec-4-3">
        <title>Generated Code</title>
        <p>
          This section discusses similar approaches which deal with RBAC and web
applications. It is divided into two parts: works dealing with (1) modeling web
applications and (2) securing web applications.
          Baresi et al. [
          <xref ref-type="bibr" rid="ref17">17</xref>
          ] present the W2000 MOF metamodel which is divided into four
higher level packages: (1) Information, (2) Navigation, (3) Presentation, and (4)
Dynamic Behavior. The first three packages define models, i.e., (1) Information
Model, (2) Navigation Model, and (3) Presentation Model. The Dynamic
Behavior package is spread over all models. The Information Model contains the
contents available to the user. The Navigation Model is based on the Information
Model. In contrast to our approach, which controls the navigation between web
pages, the W2000 Navigation Model controls the navigation between information
elements on web pages.
        </p>
        <p>
          Distante et al. [
          <xref ref-type="bibr" rid="ref18">18</xref>
          ] introduce a model-driven approach for combining the
development of the Ubiquitous Web Applications (UWA) design framework, the
MVC pattern, and JavaServer Faces (JSF). UWA provides conceptual models
at a high level of abstraction which can be used by the stakeholders. To provide
useful information to the application developers, the UWA conceptual models
are transformed to UML-MVC logical models. Both the conceptual and the logical
models are platform independent. They are transformed to platform specific
models, i.e., JavaServer Faces.
        </p>
        <p>
          Schwabe et al. [
          <xref ref-type="bibr" rid="ref20">20</xref>
          ] introduce the Object-Oriented Hypermedia Design
Method (OOHDM) which provides multiple models for modeling web
applications. The application domain is modeled with a conceptual design model. The
navigational model is defined through different views which are built upon the
conceptual model. This methodology allows the construction of different views
for different user profiles.
        </p>
        <p>
          The Orbeon Page Flow Controller [
          <xref ref-type="bibr" rid="ref22">22</xref>
          ] provides a separation of describing
the site logic and the pageflow. Hence, simplicity is enhanced because
there is no need to write custom logic to perform redirects between pages or
to pass arguments. Furthermore, the maintainability is enhanced through the
independent implementation of pages and the pageflow. Hence, it is easier to
define the pageflow without affecting pages or vice versa. Security aspects are
not yet considered in the Orbeon Page Flow Controller, i.e., the administrator
has to define the security manually in the web.xml deployment descriptor. In
contrast, our approach provides the modeling of those security aspects. Hence,
it will be an interesting research area for future work how to combine our approach
with the Orbeon Page Flow Controller.
        </p>
      </sec>
      <sec id="sec-4-4">
        <title>Securing Web Applications</title>
        <p>
          J.D. Meier [
          <xref ref-type="bibr" rid="ref6">6</xref>
          ] discusses common mistakes in the area of security engineering for
web applications: mistakes that are made (1) at the beginning (do-it-all-up-front),
(2) at the end (bolt-on), (3) during the test phase (big-bang), (4) by defining
security without targets, e.g., firewalls, SSL (buckshot) and, (5) by addressing
security after a failure (all-or-nothing). Meier gives the advice that the most
effective approach is to "bake" security into the application's lifecycle.
        </p>
        <p>
          Ceri et al. introduce the Web Modeling Language (WebML) [
          <xref ref-type="bibr" rid="ref19">19</xref>
          ]. The
approach provides multiple models for modeling different concerns of web
applications. Due to the relation to our work, we concentrated on the Navigation and
Personalization models. Contextual and non-contextual links are provided.
Furthermore, not only the user chooses what content to see, e.g., by clicking
hyperlinks, but also the system determines which page and/or content should be
shown automatically. Regarding security of web applications, the personalization
model is introduced for defining users and user groups, as well as
customizations. Users and user groups are mapped to WebML users and groups. At this
point we can consider creating code generation templates which generate
WebML users and groups. Furthermore, we can consider the WebML solution
for modeling runtime security concerns in our future work.
        </p>
        <p>
          Zhang, Baumeister, Koch and Knapp [
          <xref ref-type="bibr" rid="ref23">23</xref>
          ] propose an aspect-oriented
technique for access control in web applications. The approach is associated to the
Navigation Model of UML-based Web Engineering (UWE) [
          <xref ref-type="bibr" rid="ref24">24</xref>
          ]. UML state
machines are used to specify access control. Each navigation node is extended by
a state machine that specifies the behavior. Furthermore, constraints are
introduced which check that each navigation node has exactly one state machine. To
introduce aspect oriented access control, the stereotype «aspect» is defined.
Aspects are sets of web pages. Access control rules are defined on aspects. Hence,
rules need to be specified only once for a number of web pages. Furthermore, aspects
can contain other aspects.
        </p>
        <p>
          Bammigatti and Rao introduce the GenericWA-RBAC approach [
          <xref ref-type="bibr" rid="ref25">25</xref>
          ] which
is based on the constrained RBAC model, introduced by Sandhu et al. [
          <xref ref-type="bibr" rid="ref5">5</xref>
          ]. The
original RBAC model is extended by an ORGN component that represents a
set of organizations that have access to the system. A modular system
architecture is introduced that is divided into: (1) An Access Control Module which
is a process responsible for authentication of roles and authorizations, (2) the
ORGN Manager which determines the origin of the requested organization, (3) a
Role-to-Role mapper that maps roles of the external organization to native
organization roles, (4) a Role-to-Access right mapper which decides access rights for
the mapped role, and (5) an Object Management component that is responsible
for checking requested queries against sensitive data.
        </p>
        <p>
          Lodderstedt et al. introduce the SecureUML approach [
          <xref ref-type="bibr" rid="ref7">7</xref>
          ]. SecureUML is an
extension to the UML metamodel for RBAC. The SecureUML model is bound
to the ModelElement class of the UML metamodel. It provides possibilities to
define roles, users, and permissions. Furthermore, additional support for specifying
authorization constraints and action types is given. An authorization constraint
expresses a precondition imposed on every call to an operation of a particular
resource. An action type is a class of security operations to protect particular
types of resources. SecureUML is an approach for integrating security concerns
into UML based model-driven application engineering.
        </p>
      </sec>
    </sec>
    <sec id="sec-5">
      <title>Future Work</title>
      <p>Our current approach is able to assign RBAC to the pageflow of web applications
based on MDSD. But there is still a lot of work to do in the future. One of
the major future prospects is to have a closer look at existing model-driven
approaches for securing web applications, e.g., WebML, OOHDM, or UWE. We
have to consider how they can be combined with our work. Furthermore, we need
to consider web applications that can be deployed on web servers other than
the Apache Tomcat web server. Another future prospect concerns modeling
access control of restricted content, i.e., access control at runtime.</p>
      <p>
        Our approach assigns a simple RBAC model in contrast to the RBAC
models introduced by Sandhu et al. [
        <xref ref-type="bibr" rid="ref5">5</xref>
        ]. First, we have to define many-to-many
relations for user and permission assignments to roles. Besides, we have to define
sessions, which are also included in RBAC models. Furthermore, we want to do
more research on applying Static Separation of Duty (SSD) as well as Dynamic
Separation of Duty (DSD) to the metamodel. When we apply the complete
RBAC models to our approach, we have to evaluate whether applying Aspect Oriented
Modeling (AOM) on the metamodels is advisable, i.e., a separation into
navigation and access metamodels. A separation into multiple models can bring better
maintainability as well as a better division of work within the development team. But
good integration points for merging have to be defined.
      </p>
      <p>A lot of work has been done in the area of modeling security for web services.
Certainly, it is important to have a closer look at these approaches for a possible
application to our approach. Further work can also take a closer
look at modeling actions. Actions are executed if a violation was prevented, e.g.,
sending a mail to an administrator or raising an alarm.</p>
    </sec>
    <sec id="sec-6">
      <title>Conclusion</title>
      <p>This paper gave an overview of our approach of assigning RBAC to the
pageflow of web applications based on MDSD. Thereby, the security concerns can be
applied at a high level of abstraction, independent of the desired platform. Our
approach concentrated on defining RBAC at the design time of web applications.
Security concerns which must be checked at runtime were out of scope. A static
design model, model validation constraints, and a code generation component
were introduced. Finally, an example of a generated web application
demonstrated our approach.</p>
      <p>This work has shown that it is feasible to use MDSD for integrating RBAC
into the pageflow of web applications. Hence, this approach facilitates a seamless
integration of access control into the modeling of web applications.</p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          1.
          <string-name>
            <given-names>Sam</given-names>
            <surname>Chung</surname>
          </string-name>
          and
          <string-name>
            <surname>Yun-Sik Lee</surname>
          </string-name>
          :
          <article-title>Modeling Web Applications Using Java and XML Related Technologies</article-title>
          .
          <source>In: HICSS '03: Proceedings of the 36th Annual Hawaii International Conference on System Sciences (HICSS'03) - Track 9</source>
          , Washington, DC, USA, IEEE Computer Society (
          <year>2003</year>
          )
          <fpage>322</fpage>
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          2.
          <string-name>
            <given-names>Thomas</given-names>
            <surname>Stahl</surname>
          </string-name>
          and Markus Voelter: Modellgetriebene Software Entwicklung: Techniken, Engineering, Management. dpunkt.verlag
          <source>GmbH</source>
          (
          <year>2005</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          3.
          <string-name>
            <given-names>D.</given-names>
            <surname>Ferraiolo</surname>
          </string-name>
          and
          <string-name>
            <given-names>R.</given-names>
            <surname>Kuhn</surname>
          </string-name>
          :
          <article-title>Role-Based Access Controls</article-title>
          .
          <source>In: 15th NIST-NCSC National Computer Security Conference</source>
          . (
          <year>1992</year>
          )
          <volume>554</volume>
          –
          <fpage>563</fpage>
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          4.
          <string-name>
            <given-names>Indrakshi</given-names>
            <surname>Ray</surname>
          </string-name>
          and
          <string-name>
            <given-names>Na</given-names>
            <surname>Li</surname>
          </string-name>
          and
          <string-name>
            <given-names>Robert</given-names>
            <surname>France</surname>
          </string-name>
          and
          <string-name>
            <given-names>Dae-Kyoo</given-names>
            <surname>Kim</surname>
          </string-name>
          :
          <article-title>Using UML to Visualize Role-Based Access Control Constraints</article-title>
          .
          <source>In: SACMAT '04: Proceedings of the ninth ACM symposium on Access control models and technologies</source>
          , New York, NY, USA, ACM (
          <year>2004</year>
          )
          <volume>115</volume>
          –
          <fpage>124</fpage>
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          5.
          <string-name>
            <surname>Ravi</surname>
            <given-names>S.</given-names>
          </string-name>
          <string-name>
            <surname>Sandhu</surname>
            and
            <given-names>Edward J.</given-names>
          </string-name>
          <string-name>
            <surname>Coyne</surname>
          </string-name>
          and
          <string-name>
            <surname>Hal L. Feinstein</surname>
          </string-name>
          and Charles E. Youman:
          <article-title>Role-Based Access Control Models</article-title>
          .
          <source>Computer</source>
          <volume>29</volume>
          (
          <issue>2</issue>
          ) (
          <year>1996</year>
          )
          <volume>38</volume>
          –
          <fpage>47</fpage>
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          6.
          <string-name>
            <surname>Meier</surname>
            ,
            <given-names>J.D.</given-names>
          </string-name>
          :
          <article-title>Web Application Security Engineering</article-title>
          .
          <source>Security &amp; Privacy, IEEE</source>
          4(4) (July-Aug
          <year>2006</year>
          )
          <volume>16</volume>
          {
          <fpage>24</fpage>
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          7.
          <string-name>
            <given-names>Torsten</given-names>
            <surname>Lodderstedt</surname>
          </string-name>
          and
          <string-name>
            <given-names>David A.</given-names>
            <surname>Basin</surname>
          </string-name>
          and
          <string-name>
            <given-names>Jurgen</given-names>
            <surname>Doser</surname>
          </string-name>
          :
          <article-title>SecureUML: A UML-Based Modeling Language for Model-Driven Security</article-title>
          .
          <source>In: UML '02: Proceedings of the 5th International Conference on The Unified Modeling Language</source>
          , London, UK, Springer-Verlag (
          <year>2002</year>
          )
          <fpage>426</fpage>
          –
          <lpage>441</lpage>
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          8.
          <string-name>
            <given-names>David</given-names>
            <surname>Basin</surname>
          </string-name>
          and
          <string-name>
            <given-names>Jurgen</given-names>
            <surname>Doser</surname>
          </string-name>
          and
          <string-name>
            <given-names>Torsten</given-names>
            <surname>Lodderstedt</surname>
          </string-name>
          :
          <article-title>Model Driven Security: From UML Models to Access Control Infrastructures</article-title>
          .
          <source>ACM Trans. Softw. Eng. Methodol.</source>
          <volume>15</volume>
          (
          <issue>1</issue>
          ) (
          <year>2006</year>
          )
          <fpage>39</fpage>
          –
          <lpage>91</lpage>
        </mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>
          9.
          <string-name>
            <surname>Mann</surname>
            ,
            <given-names>K.D.</given-names>
          </string-name>
          :
          <source>JavaServer Faces in Action (In Action series)</source>
          . Manning Publications Co., Greenwich, CT, USA (
          <year>2004</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>
          10.
          <collab>Apache Software Foundation</collab>
          :
          <source>Apache Tomcat</source>
          . Website (
          <year>2008</year>
          ) Available online at
          <uri>http://tomcat.apache.org/</uri>
          .
        </mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>
          11.
          <string-name>
            <given-names>James</given-names>
            <surname>Rumbaugh</surname>
          </string-name>
          and
          <string-name>
            <given-names>Ivar</given-names>
            <surname>Jacobsen</surname>
          </string-name>
          and
          <string-name>
            <given-names>Grady</given-names>
            <surname>Booch</surname>
          </string-name>
          :
          <source>The Unified Modeling Language Reference Manual</source>
          . Addison-Wesley (
          <year>1998</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>
          12.
          <string-name>
            <given-names>Robert</given-names>
            <surname>Eckstein</surname>
          </string-name>
          :
          <article-title>Java SE Application Design With MVC</article-title>
          (March
          <year>2007</year>
          ) Available online at
          <uri>http://java.sun.com/developer/technicalArticles/javase/mvc/</uri>
          .
        </mixed-citation>
      </ref>
      <ref id="ref13">
        <mixed-citation>
          13.
          <collab>Eclipse Modeling Framework Project</collab>
          : (
          <year>2008</year>
          ) Available online at
          <uri>http://www.eclipse.org/modeling/emf/</uri>
          .
        </mixed-citation>
      </ref>
      <ref id="ref14">
        <mixed-citation>
          14.
          <collab>Object Management Group (OMG)</collab>
          :
          <source>XML Metadata Interchange (XMI), v2.1.1</source>
          (
          <year>2007</year>
          ) Available online at
          <uri>http://www.omg.org/technology/documents/formal/xmi.htm</uri>
          .
        </mixed-citation>
      </ref>
      <ref id="ref15">
        <mixed-citation>
          15.
          <collab>openArchitectureWare</collab>
          : (
          <year>2008</year>
          ) Available online at
          <uri>http://www.openarchitectureware.org/</uri>
          .
        </mixed-citation>
      </ref>
      <ref id="ref16">
        <mixed-citation>
          16.
          <string-name>
            <given-names>Pierre-Alain</given-names>
            <surname>Muller</surname>
          </string-name>
          and
          <string-name>
            <given-names>Philippe</given-names>
            <surname>Studer</surname>
          </string-name>
          and
          <string-name>
            <given-names>Jean</given-names>
            <surname>Bezivin</surname>
          </string-name>
          :
          <article-title>Platform Independent Web Application Modeling</article-title>
          . In
          <string-name>
            <surname>Stevens</surname>
            ,
            <given-names>P.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Whittle</surname>
            ,
            <given-names>J.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Booch</surname>
            ,
            <given-names>G.</given-names>
          </string-name>
          , eds.:
          <source>UML</source>
          . Volume
          <volume>2863</volume>
          of Lecture Notes in Computer Science, Springer (
          <year>2003</year>
          )
          <fpage>220</fpage>
          –
          <lpage>233</lpage>
        </mixed-citation>
      </ref>
      <ref id="ref17">
        <mixed-citation>
          17.
          <string-name>
            <given-names>F.</given-names>
            <surname>Garzotto</surname>
          </string-name>
          ,
          <string-name>
            <given-names>L.</given-names>
            <surname>Baresi</surname>
          </string-name>
          , and
          <string-name>
            <given-names>M.</given-names>
            <surname>Maritati</surname>
          </string-name>
          :
          <article-title>W2000 as a MOF Metamodel</article-title>
          .
          <source>In: The 6th World Multiconf. on Systemics, Cybernetics and Informatics - Web Engineering track</source>
          (
          <year>2002</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref18">
        <mixed-citation>
          18.
          <string-name>
            <given-names>Damiano</given-names>
            <surname>Distante</surname>
          </string-name>
          and
          <string-name>
            <given-names>Paola</given-names>
            <surname>Pedone</surname>
          </string-name>
          and
          <string-name>
            <given-names>Gustavo</given-names>
            <surname>Rossi</surname>
          </string-name>
          and
          <string-name>
            <given-names>Gerardo</given-names>
            <surname>Canfora</surname>
          </string-name>
          :
          <article-title>Model-Driven Development of Web Applications with UWA, MVC and JavaServer Faces</article-title>
          . In
          <string-name>
            <surname>Baresi</surname>
            ,
            <given-names>L.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Fraternali</surname>
            ,
            <given-names>P.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Houben</surname>
            ,
            <given-names>G.J.</given-names>
          </string-name>
          , eds.:
          <source>ICWE</source>
          . Volume
          <volume>4607</volume>
          of Lecture Notes in Computer Science, Springer (
          <year>2007</year>
          )
          <fpage>457</fpage>
          –
          <lpage>472</lpage>
        </mixed-citation>
      </ref>
      <ref id="ref19">
        <mixed-citation>
          19.
          <string-name>
            <given-names>Stefano</given-names>
            <surname>Ceri</surname>
          </string-name>
          and
          <string-name>
            <given-names>Piero</given-names>
            <surname>Fraternali</surname>
          </string-name>
          and
          <string-name>
            <given-names>Aldo</given-names>
            <surname>Bongio</surname>
          </string-name>
          :
          <article-title>Web Modeling Language (WebML): a modeling language for designing Web sites</article-title>
          .
          <source>Comput. Netw.</source>
          <volume>33</volume>
          (
          <issue>1-6</issue>
          ) (
          <year>2000</year>
          )
          <fpage>137</fpage>
          –
          <lpage>157</lpage>
        </mixed-citation>
      </ref>
      <ref id="ref20">
        <mixed-citation>
          20.
          <string-name>
            <given-names>Daniel</given-names>
            <surname>Schwabe</surname>
          </string-name>
          and
          <string-name>
            <given-names>Gustavo</given-names>
            <surname>Rossi</surname>
          </string-name>
          :
          <article-title>An Object Oriented Approach to Web-Based Application Design</article-title>
          .
          <source>Theor. Pract. Object Syst.</source>
          <volume>4</volume>
          (
          <issue>4</issue>
          ) (
          <year>1998</year>
          )
          <fpage>207</fpage>
          –
          <lpage>225</lpage>
        </mixed-citation>
      </ref>
      <ref id="ref21">
        <mixed-citation>
          21.
          <string-name>
            <given-names>Natacha</given-names>
            <surname>Guell</surname>
          </string-name>
          and
          <string-name>
            <given-names>Daniel</given-names>
            <surname>Schwabe</surname>
          </string-name>
          and
          <string-name>
            <given-names>Patricia</given-names>
            <surname>Vilain</surname>
          </string-name>
          :
          <article-title>Modeling Interactions and Navigation in Web Applications</article-title>
          .
          <source>In: ER '00: Proceedings of the Workshops on Conceptual Modeling Approaches for E-Business and The World Wide Web and Conceptual Modeling</source>
          , London, UK, Springer-Verlag (
          <year>2000</year>
          )
          <fpage>115</fpage>
          –
          <lpage>127</lpage>
        </mixed-citation>
      </ref>
      <ref id="ref22">
        <mixed-citation>
          22.
          <collab>Orbeon</collab>
          :
          <source>Orbeon Forms User Guide - Page Flow Controller</source>
          (May
          <year>2008</year>
          ) Available online at
          <uri>http://www.orbeon.com/ops/doc/reference-page-flow</uri>
          .
        </mixed-citation>
      </ref>
      <ref id="ref23">
        <mixed-citation>
          23.
          <string-name>
            <surname>Zhang</surname>
            ,
            <given-names>G.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Baumeister</surname>
            ,
            <given-names>H.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Koch</surname>
            ,
            <given-names>N.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Knapp</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          :
          <article-title>Aspect-Oriented Modeling of Access Control in Web Applications</article-title>
          .
          <source>In: Proc. 6th Int. Wsh. Aspect Oriented Modeling (WAOM'05)</source>
          , Chicago (
          <year>2005</year>
          )
        </mixed-citation>
      </ref>
      <ref id="ref24">
        <mixed-citation>
          24.
          <string-name>
            <given-names>Christian</given-names>
            <surname>Kroiss</surname>
          </string-name>
          and
          <string-name>
            <given-names>Nora</given-names>
            <surname>Koch</surname>
          </string-name>
          :
          <article-title>UWE Metamodel and Profile: User Guide and Reference</article-title>
          .
          <source>LMU Technical Report</source>
          (
          <year>2008</year>
          )
          .
        </mixed-citation>
      </ref>
      <ref id="ref25">
        <mixed-citation>
          25.
          <string-name>
            <surname>Bammigatti</surname>
            ,
            <given-names>P.H.</given-names>
          </string-name>
          and
          <string-name>
            <surname>Rao</surname>
            ,
            <given-names>P.R.</given-names>
          </string-name>
          :
          <article-title>GenericWA-RBAC: Role Based Access Control Model for Web Applications</article-title>
          .
          <source>Information Technology, 2006. ICIT '06. 9th International Conference on</source>
          (18-21 Dec.
          <year>2006</year>
          )
          <fpage>237</fpage>
          –
          <lpage>240</lpage>
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>